Restrictions configuration (Windows Mobile policy)

With the Restrictions configuration you define restrictions for devices.


Setting/Field Description
Forbid SD card Users cannot access the storage card. This does not prevent apps from accessing the storage card.
Forbid unencrypted device Internal storage encryption is turned on.
Important: After internal storage encryption has been turned on on a device, you cannot turn it off again through a policy.
Note: You must enable BitLocker on the device before applying the policy.
Forbid action center notifications above lock screen No Action Center notifications are displayed above the device lock screen.
Forbid manual addition of non-Microsoft email accounts Forbids adding all types of email accounts, as well as Exchange, Office 365 and accounts.
Forbid Microsoft account connection The Microsoft account is the system account used for synchronization, backup and the Store.
Forbid developer mode The Windows developer mode is turned off.
Forbid Windows Store The app store is unavailable.
Forbid native browser The Microsoft Edge browser is unavailable.
Forbid camera The Privacy setting Let apps use my camera is turned off.
Telemetry Select if the device can send diagnostic and usage telemetry data:
  • Allowed
  • Allowed, except for secondary data requests
  • Not allowed


Setting/Field Description
Forbid copy and paste The clipboard is unavailable.
Forbid Cortana Cortana is turned off.
Forbid "Save as" for Office files Users cannot save a file on the device as an Office file.
Forbid screen capture Screen captures are turned off.
Forbid sharing of Office files Users cannot share Office files.
Forbid "Sync my settings" Device settings cannot be synchronized to and from other Windows devices.
Forbid voice recording Voice recording is turned off.


Setting/Field Description
Forbid Wi-Fi Wi-Fi connections are turned off.
Forbid internet sharing Internet Connection Sharing (ICS) is turned off.
Forbid Wi-Fi Sense (hotspot auto-connect) The device does not automatically connect to Wi-Fi hotspots.
Forbid hotspot reporting The device does not send information about Wi-Fi connections.
Forbid manual configuration Users cannot configure Wi-Fi connections beyond the connections that are configured by Sophos Mobile Control.


Setting/Field Description
Forbid NFC Near Field Communication (NFC) is turned off.
Forbid Bluetooth Bluetooth is turned off.
Forbid USB connection USB connection between the device and a computer to sync files or to use developer tools to deploy or debug applications is forbidden. This does not affect USB charging.

Roaming and costs

Setting/Field Description
Forbid cellular data roaming Data connections over foreign cellular networks are turned off.
Forbid VPN over cellular VPN connections over cellular networks are turned off.
Forbid VPN roaming over cellular VPN connections over foreign cellular networks are turned off.

Security and privacy

Setting/Field Description
Forbid Bing Vision to store images from Bing Vision search Bing Vision does not store the contents of the images captured when performing Bing Vision search.
Forbid use of location when searching The search cannot utilize location information.
Forbid manual installation of root certificates Users cannot manually install root and intermediate CA certificates.
Forbid locating All location privacy settings on the device are turned off. No apps can use the location service. This also forbids Sophos Mobile Control to locate the device.
SafeSearch permission The level of search result filtering that is enforced on the device:
  • Moderate: Moderate filtering against adult content. Valid search results are not filtered.
  • Strict: Highest filtering against adult content.


Setting/Field Description
Forbid user to reset the phone Users cannot factory reset the device through the control panel or hardware key combinations.
Forbid manual MDM unenrollment Users cannot delete the workplace account.